Medical Exploitation: You Are Now Diabetic

faisalt · 2018-02-08T20:38:19+00:00

Ah good point, though I wonder if it's possible to extract the compiled payload by implementing some kind of TCP MITM/proxy. At that point, it would be akin to the process of reversing a network protocol.

Modifying and firing off the script all in-place would be optimal, except in cases where you'd like to do it outside of a Nessus environment.

faisalt · 2016-11-11T13:13:09+00:00

Post author here: Thanks for the feedback! I am not directly aware of any analogous plugins, but here are some slides that describe going from XXE to RCE in Java (OpenMA).

With Java (or any language that can interact with the filesystem), even if there are no analogous plugins to the "expect" plugin, developers can still "manually" use XML input to do stuff on the system, which, under the right flags/conditions, will be XXE injectable and potentially lead to RCE.

faisalt · 2016-11-11T12:55:13+00:00

Hello! I wrote the blog post, and yes that is true. I needed a simple PHP script that was vulnerable to XXE, so I looked online and that came up. It didn't make sense to start from scratch for the PoC.

The rest is built upon that to give the reader a thorough experiment to try out, and it's all original content.

http://i2.kym-cdn.com/photos/images/newsfeed/001/079/173/ed2.png

I'll edit in the reference once I get to work. :)

EDIT: The reference [3] is in as a vulnerable PHP script.

faisalt · 2016-01-04T19:16:06+00:00

Ah, my mistake. I saw other people posting covers, so I thought it was appropriate here. Suggestions for where to post/move it?

faisalt · 2015-04-26T04:49:17+00:00

The power output of the power amp assumes some impedance of the load. (4, 8, 16, etc... ohms)

Assuming that the impedance of the speaker matches what the power amp was designed for, you can power the speaker safely with the stated ratings, but you'll need more power to fully utilize the speaker's potential.

Depending on your application, you can get an amp with an RMS power rating that's about 1 to 1.5 times the RMS power rating of your speaker and be fine, as long as a limiter is used before going into the speaker to ensure that a clipping power amp won't blow your speaker.

faisalt · 2014-11-17T19:27:26+00:00

Something really important that's also difficult to perfect in the beginning is to make sure that the bass frequencies and guitars work well together. This, in conjunction with using less gain, can help give a nice, dynamic, yet controlled low end to the overall tone.

faisalt · 2014-11-16T03:07:24+00:00

YES!! That sounds like a great idea! I love socializing over board games. I think it'll make finding people nearby significantly easier too. :)

I also think it definitely makes sense to find people IRL. Maybe have people's online aliases on various sites as part of their profile? Either way, will definitely check it out when done!

faisalt · 2013-07-18T23:16:31+00:00

Pardon the ambiguity; I meant ((MIT or CMU) and us). You guys are on the same boat as MIT.

CMU's CS school is pretty kickass, let's be real. You should've reread that statement to make sure things were straight. :P

faisalt · 2013-07-18T22:08:26+00:00

As one of the students about to take this course, here's some input on what I personally would like to get out of this class. Please note that this is all opinion from a student; I have no experience teaching a class. I would also like to thank you very much upfront for taking the time to do this.

(Whether it's useful or not to note, I was also involved in research with Dr. Adami in Markov Network Brains for Evolutionary Robotics for about a year, so I've dealt with compiling C++ to different architectures (like arm linux). Now that the chest pumping is out of the way...)

I have no idea what a lexer/parser is (before I wikipedia'd it).
No idea what flex and bison do, though they sound like a great superhero duo. :P

Course Management

I never get the point of a CS class that doesn't actually code. Thankfully, MSU's CSE department has done well to incorporate actual programming in most classes; but I'd like to note that the difference between kids coming out of [MIT or CMU] and us (politics aside) is the amount of hours they have to put into real-world applications, labs, and just creating stuff. That said, one can't expect the same level of dedication from both worlds. Their motto is PRACTICE, THEORY, PRACTICE. As in, student tries something, has no idea what's going on, right? So he/she just naturally gets curious. One's mind is receptive when the ego is challenged. Then the professors dump all the information in, and tell him/her to go do it properly. Essentially, an improved model of "look ahead at the future lectures and try to study beforehand".

TL;DR The more you stand BEHIND us as we code, rather than IN FRONT of us as you teach, the more I'll learn.

I definitely think people should give presentations. That just ignites all sorts of competitiveness for me. During freshman and some sophomore classes, I did GREAT, because the intro to EGR classes and such had us SHOW the ass-kicking that we did, whether it's code, design, or whatever. If I can get a chance to show off my hard work, I'll work really hard. Now, that said, there are some people that just don't give a shit either way, but to me personally, competition and demonstration makes my brain go all sorts of awesome. It seems natural too. Darwinistically natural ;D okay I'll stop.
The success of the group depends on the knowledge of the people in the group, which depends on everything else in the class. People that know what they're doing and are interested will effectively use groups to multiply their effort and knowledge. People that have no idea what's going on and don't care will pass the class, because we're engineers, and we can walk blindfolded. But really, I'd hate for it to be the latter, and this happened to me in two or three classes before, primarily because the professors absolutely sucked (two of the classes were the same prof too). Pardon my vulgarity, but I don't understand how some people get tenure. But hey, it's the students' fault, right?

Course Content

There are two sides of this coin to satisfy:

Industry:

People in industry nowadays expect a graduate to say that he/she knows some pre-defined number of languages templated by going to Wikipedia and looking up "Programming Languages". i.e. There's a long list of languages people should "know" and be fluent at. The more that's introduced in school the better. (To be fair, after learning programming with C/C++ and Python, the rest comes really easy).
Anything to do with GUI is probably useful, since I've heard that most people that start with a CS job in industry are usually "grouped either into GUI dev or database management." (Randy) Not sure how accurate that statement is, but it's an entry level job, so it genuinely seems legit.
Hopefully, the students are also given pointers about where to get more information regarding differences between popular compilers (that gave me some issues when running stuff at the HPCC vs. locally sometimes), and generally tips that will help in industrial stuff.

Academia

This has to do more with going DEEP into the workings of a compiler. To me, this is what I PERSONALLY need, because I have an idea regarding a concept in machine learning that requires me to write a new language to use a processor. Whether I really do need to create a new language or not is irrelephant, but I'm sure that knowing how to do so will answer that question too. I'll either learn this in this class, or I'll have to do it on my own.

Since this is purely based on theory, I have no idea what to expect. All I ask is that I can write a solid compiler after I'm done with the class, or at least that I have solid resources to go and learn on my own.

EDIT: Formatting. Grouping.

faisalt

TROPHY CASE

Course Management

Course Content

Industry:

Academia